---
title: Integrate with Stripe
sidebar_label: Stripe
support_level: community
---

## What is Stripe

> Stripe is a financial infrastructure platform that enables businesses to accept online and in-person payments, embed financial services, and build custom revenue models.
>
> -- https://stripe.com

## Preparation

The following placeholders are used in this guide:

- `authentik.company` is the FQDN of the authentik installation.

:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::

## authentik configuration

To support the integration of Stripe with authentik, you need to create a group, a property mapping, and an application/provider pair in authentik.

### Create a user group in authentik

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Directory** > **Groups** and click **Create**.
3. Set a name for the group (e.g. `Stripe Admins`).
4. In the **Attributes** field enter: `stripe_role: admin`. Other account types are also supported, see the [Stripe SSO Documentation](https://docs.stripe.com/get-started/account/sso/other#configuring-your-identity-provider)
5. Click **Create**.
6. Then, click the name of the newly created group and navigate to the **Users** tab.
7. Click **Add existing user**, select the user that needs Stripe admin access and click **Add**.

### Create a property mapping in authentik

1.  Log in to authentik as an administrator and open the authentik Admin interface.
2.  Navigate to **Customization** > **Property Mappings** and click **Create**. Then, create a **SAML Provider Property Mapping** using the following settings:

        - **Name**: `Stripe Role`
        - **SAML Attribute Name**: `Stripe-Role-<stripe-account-id>` Can be found [here](https://dashboard.stripe.com/settings/account)
        - **Friendly Name**: Leave blank
        - **Expression**:

        ```python
        return request.user.group_attributes().get("stripe_role", "")
        ```

    :::note
    To find your Stripe account ID, log in to your Stripe dashboard and navigate to **Settings** > **Account** > **Account details**. You'll find your account ID, which starts with `acct_`, displayed on the right-hand side.
    :::

### Create an application and provider in authentik

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
    - **Choose a Provider type**: select **SAML Provider** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Set the **ACS URL** to `https://dashboard.stripe.com/login/saml/consume`.
        - Set the **Audience** to `https://dashboard.stripe.com/saml/metadata`.
        - Set the **Service Provider Binding** to `Post`.
        - Under **Advanced protocol settings**:
            - Set an available signing certificate.
            - Add the previously created `Stripe Role` property mapping to **Selected User Property Mappings**.
            - Set **NameID Property Mapping** to `authentik default SAML Mapping: Email`.

    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

3. Click **Submit** to save the new application and provider.

### Download certificate file

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click on the name of the provider that you created in the previous section (e.g. `Provider for Stripe`).
3. Under **Related objects** > **Download signing certificate**, click on **Download**. This downloaded file is your `Certificate` file and it will be required in the next section.

## Stripe configuration

1. Log in to the [Stripe administrator user authentication page](https://dashboard.stripe.com/account/user_authentication) as an administrator.
2. Click on the **Settings** cogwheel, and navigate to **Team and security** > **Single sign-on (SSO)**.
3. Click **Add domain**, then input the domain that SSO users will use. For more information, see the [Stripe Proving Domain Owenership documentation](https://docs.stripe.com/get-started/account/sso/other#proving-domain-verification).
4. Once your domain is verified, click on the 3 dots next to the domain name, and click **Manage SSO Settings**.
5. Enter the following settings:
    - **Identity Provider URL**: `https://auth.domain.com/application/saml/stripe/sso/binding/redirect/`
    - **Issuer ID**: `authentik`
    - **Identity Provider Certificate**: Paste in the contents of your authentik signing certificate.

6. Click **Continue**.
7. Enter the email address of an authentik user designated for testing the SSO configuration and click **Continue**. Ensure that the user belongs to the appropriate authentik group. After logging in on authentik, you will be redirected back to Stripe.
8. If the test is successful, click **Continue**. Otherwise, verify your configuration and try again.
9. Choose the **SSO Enforcement** setting. Selecting `Required` mandates that users use authentik to log in, whereas `Optional` allows users to choose between authentik and the standard Stripe login.
10. Click **Save**.

## Configuration verification

To verify that authentik is properly integrated with Stripe, first sign out of your account. Then, navigate to the [Stripe dashboard login page](https://dashboard.stripe.com/login) and then click **Sign in with SSO**. Enter an email address that’s provisioned for SSO, and click **Continue with SSO**. You will then be redirected to authentik for authentication before being sent back to the Stripe dashboard.

## Resources

- [Stripe documentation - Single sign-on with a SAML provider](https://docs.stripe.com/get-started/account/sso/other)
